(1) This Procedure is effective from 4 June 2018. (2) This Procedure documents requirements for the control of University data and information. (3) This Procedure applies to all University data, information and records, whether received, created, maintained, copied, disseminated or disposed of by the University in the course of its operations. (4) This Procedure is pursuant to the Information and Records Management policy. (5) The Information and Records Services Team, in collaboration with other organisational units of the University as required, will facilitate awareness and training activities for staff in relation to information and records management, including information classification and recordkeeping requirements. (6) Information Owners will implement information and records management practices for their organisational unit, including determining appropriate information classification. (7) Managers will ensure that their staff members, including consultants and contractors, are aware of and educated about information and records management, including the information classification and recordkeeping requirements appropriate to their role. (Refer to the Information and Records Services website for further information.) (8) Staff will undertake the information classification and recordkeeping requirements required by their role, to preserve the confidentiality, integrity and availability of information, and will not damage, conceal or give unauthorised access to information. (9) If classification of information is unclear, the information must be protected in a manner consistent with the more secure of the possible classification levels until the information owner can apply the correct classification, which must be done within 20 working days of creation or receipt. (10) Unless otherwise stated, all externally provided information that is not clearly in the public domain should be restricted to access by staff only. (11) All confidential, personal and proprietary Information will be stored, in the first instance, in primary storage devices. (12) Where there is a clear business requirement, copies of confidential, personal and proprietary information may be temporarily stored on portable storage devices administered by the University, but only where the storage device is physically secured to prevent unauthorised access and, if electronic, the files containing the Information are password protected. (13) Where there is a clear business requirement to have copies of confidential, personal or proprietary Information on devices provided by an external service provider, staff will submit requests to the University Information Manager or nominee as stated in the Data Use Agreement and/or Privacy Impact assessments, who will determine whether to approve the request. (14) All data and information held electronically will be stored and secured according to technology standards defined by the Chief Digital Officer. (15) The Head of Organisational Unit that is responsible for devices or applications in which information is managed or stored, will ensure that access to those devices or applications is given on a needs basis and that access rights are reviewed at least annually. (16) Staff will not dispose of a record except: (17) Staff will not destroy information where the information: (18) The Information and Records Services Team will assess and manage records judged to be of archival value or requiring long-term storage and preservation. (19) All members of the University should immediately report any suspected or perceived breach of the Information and Records Management policy, Procedure or Guidelines, or associated legislation, to their relevant Head of Organisational Unit in the first instance, the University Information Manager or as appropriate under other legislative and policy provisions. (20) Breaches will be investigated, and disciplinary action will be taken as appropriate. (21) For the purpose of this Procedure:Information and Records Management procedure
Section 1 - Preamble
Section 2 - Purpose
Section 3 - Scope
Section 4 - Policy
Section 5 - Procedure
Information Management Framework
Information classification
Information storage
Access
Disposal
Archives
Breaches
Section 6 - Definitions
View Current
This is not a current document. To view the current version, click the link in the document's navigation bar.